JavaScript Web server and apps are Vulnerable to DoS attack.

JavaScript-based web apps and server are found vulnerable to a particular type of DoS attack i.e. ReDoS. ReDoS stands for Regular Expression (regex) Denial of Service attack.

This vulnerability comes into the execution when a victim is flooded by a large and complex piece of string in an open and invalidated input to a web server or app based on JavaScript.

If the server is not designed to handle special conditions then it may end up blocking the entire app or the server in order to analyse the input string.

Programming Languages other than JavaScript have similar problems with the performance especially in pattern matching operations and ReDoS attacks, but they are excessively high in the case of JavaScript.

This is due to the reason that most of the JavaScript server is based on single-thread execution at a time and every request is handled by the same thread.

The functionality of ReDos attack is it slows the entire server, rather than targeting a particular operation.

ReDos attack was introduced in 2012 but got famous in case of JavaScript servers in a research paper published in 2012. Back than JavaScript and Node.js were not huge software as they are now in web development, due to this ReDoS was ignored for another half of decade.

Out of all the vulnerabilities in Node.js libraries and application, 5% were ReDoS vulnerabilities as mentioned in a research paper in 2017.

As per the latest news, ReDoS is gaining momentum in the JavaScript community now.

Cristian-Alexandru Staicu and Michael Pradel, reachers form the Technical University in Darmstadt, Germany, told Node.js have 25 previously unknown vulnerabilities.

They also mentioned that an attacker could craft special exploit packages and attack websites or servers using any of these 25 libraries.

Any vulnerable site exploited using these packages can freeze the site for minutes. But when this action did repeatedly can cause the server down.

Approximately 340 sites are vulnerable to ReDoS attacks.

A good relief is that some ReDoS issues were patched.

Besides JavaScript, Java is also known to be affected by ReDoS attacks. In 2017, researchers from the University of Texas at Austin created a tool named Rexploiter, which they used to find 41 ReDoS vulnerabilities in 150 Java programs collected from GitHub.